US Gov't Agencies Freak Out Over Juniper Backdoor; Perhaps They'll Now Realize Why Backdoors Are A Mistake

from the wishful-thinking dept

Last week, we wrote about how Juniper Networks had uncovered some unauthorized code in its firewall operating system, allowing knowledgeable attackers to get in and decrypt VPN traffic. While the leading suspect still remains the NSA, it's been interesting to watch various US government agencies totally freak out over their own networks now being exposed:

The FBI is investigating the breach, which involved hackers installing a back door on computer equipment, U.S. officials told CNN. Juniper disclosed the issue Thursday along with an emergency security patch that it urged customers to use to update their systems "with the highest priority."

The concern, U.S. officials said, is that sophisticated hackers who compromised the equipment could use their access to get into any company or government agency that used it.

One U.S. official described it as akin to "stealing a master key to get into any government building."

And, yes, this equipment is used all throughout the US government:

Juniper sells computer network equipment and routers to big companies and to U.S. government clients such as the Defense Department, Justice Department, FBI and Treasury Department. On its website, the company boasts of providing networks that "US intelligence agencies require."

Its routers and network equipment are widely used by corporations, including for secure communications. Homeland Security officials are now trying to determine how many such systems are in use for U.S. government networks.

And, of course, US officials are insisting that it couldn't possibly be the NSA, but absolutely must be the Russians or the Chinese:

The breach is believed to be the work of a foreign government, U.S. officials said, because of the sophistication involved. The U.S. officials said they are certain U.S. spy agencies themselves aren't behind the back door. China and Russia are among the top suspected governments, though officials cautioned the investigation hasn't reached conclusions.

Yeah, sure. Anything's possible, but the NSA still has to be the leading suspect here, and the insistence that it's the Chinese or the Russians without more proof seems like a pretty clear attempt at keeping attention off the NSA.

And, of course, all of this is happening at the very same time that the very same US government that is now freaking out about this is trying to force every tech company to install just this kind of backdoor. Because, as always, these technically illiterate bureaucrats still seem to think that you can create backdoors that only "good" people can use.

Ronald Prins, founder and CTO of Fox-IT, a Dutch security firm, said the patch released by Juniper provides hints about where the master password backdoor is located in the software. By reverse-engineering the firmware on a Juniper firewall, analysts at his company found the password in just six hours.

“Once you know there is a backdoor there, … the patch [Juniper released] gives away where to look for [the backdoor] … which you can use to log into every [Juniper] device using the Screen OS software,” he told WIRED. “We are now capable of logging into all vulnerable firewalls in the same way as the actors [who installed the backdoor].”

Putting backdoors into technology is a bad idea. Security experts and technologists keep saying this over and over and over and over again -- and politicians and law enforcement still don't seem to get it. And, you can pretty much bet that even though they now have a very real-world example of it -- in a way that's impacting their own computer systems -- they'll continue to ignore it. Instead, watch as they blame the Chinese and the Russians and still pretend that somehow, when they mandate backdoors, those backdoors won't get exploited by those very same Chinese and Russian hackers they're now claiming were crafty enough to slip code directly into Juniper's source code without anyone noticing.

Re: One of 3 possibilities here - NSA, CIA, FBI

Well, I wouldn't say for sure it was the NSA, or the CIA or FBI for that matter. It is still possible this bad idea was the brain child of some programmer at Juniper who put it in for debugging or something, and never took it out.

Though I would say that you can bet your ass that the NSA found it years ago and didn't tell anyone so that they could exploit it. Not all that much different from putting it in themselves I'd say.

Re: Re: One of 3 possibilities here - NSA, CIA, FBI

Based on the hard-coded password:

<<< %s(un='%s') = %u

Who put it in is an open question, but based on the deliberate obfuscation, it was likely intended to be a surreptitious backdoor that would make it past automated code auditing routines into production firmware.
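
As an added illustration (not part of the original comment, and not Juniper's code): the constructed C fragment below places the string quoted above among ordinary debug format strings, then compares an audit that judges string literals by appearance with one that flags any credential variable compared against a constant. The function names, variable names and heuristics are assumptions made for the example.

```python
import re

# Constructed C fragment (not Juniper's code; all names are hypothetical): the
# literal quoted above sits among debug format strings and looks like one more.
SAMPLE_C = r'''
static void trace(const char *fn, const char *user, unsigned rc) {
    log_debug(">>> %s(un='%s')", fn, user);
    log_debug("<<< %s(un='%s') = %u", fn, user, rc);
}
int auth_admin(const char *user, const char *password) {
    if (strcmp(password, "<<< %s(un='%s') = %u") == 0)
        return AUTH_OK;
    return check_db(user, password);
}
'''

STRING = r'"((?:[^"\\]|\\.)*)"'
# Comparison calls in which either argument is a string literal.
CONST_CMP = re.compile(
    r'\b(strcmp|strncmp|memcmp)\s*\(\s*'
    r'(?:(\w+)\s*,\s*' + STRING + r'|' + STRING + r'\s*,\s*(\w+))')
CRED_NAME = re.compile(r'pass|pw|secret|key|token', re.I)
FORMAT_LIKE = re.compile(r'%[-0-9.]*[sdux]')

def naive_secret_strings(src):
    """Appearance-based audit: literals that 'look like' credentials."""
    hits = []
    for m in re.finditer(STRING, src):
        lit = m.group(1)
        if FORMAT_LIKE.search(lit):  # dismissed as a log/format string
            continue
        if len(lit) >= 12 and re.search(r'\d', lit) and re.search(r'[A-Za-z]', lit):
            hits.append(lit)
    return hits

def constant_credential_compares(src):
    """Usage-based audit: a credential variable compared to any literal."""
    findings = []
    for m in CONST_CMP.finditer(src):
        var = m.group(2) or m.group(5)
        lit = m.group(3) if m.group(3) is not None else m.group(4)
        if CRED_NAME.search(var):
            line = src.count('\n', 0, m.start()) + 1
            findings.append((line, m.group(1), var, lit))
    return findings

if __name__ == "__main__":
    print("appearance-based:", naive_secret_strings(SAMPLE_C))
    print("usage-based:", constant_credential_compares(SAMPLE_C))
```

The appearance-based pass reports nothing for the sample, while the usage-based pass reports the comparison regardless of what the literal looks like.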

I'm in shock!

Of course it wasn't the U.S. they would never do such a thing. Juniper is wrong to point out the backdoor. Now the terrorists have won. In removing the back door, LEOs will never be able to do their jobs ever again.

It makes me wonder about other firmware now. How many others are there? The NSA should insist on inspecting and fixing back doors other "sophisticated" countries have been able to put in. Of course since this was made public, a more sophisticated back door has since been implemented.

I think this article is mixing the two vulnerabilities in ScreenOS found. The first is the VPN vulnerability, it was perhaps not put in by the NSA, but due to the NSA mucking around with NIST created the issue (DUAL_EC_DRBG). Check Bruce Schneier's explanation: link. The second is the SSH backdoor also put in by an unknown party and this is unknown how it got into the system code. Fox-IT revealed this password by checking out the patch for it, so anyone with open SSH (never a good thing), and unpatched ScreenOS Juniper is liable to be compromised at any level since it backdoors into shell mode. A quick Shodan search could probably cripple some companies, so it's definitely serious.

Should be able to track it down.

Certainly any major code like this is managed with a code repository, such as git, SourceSafe, or mercurial. We should be able to figure out where the offending code came from, or at least who was involved in it. Of course, if it's the NSA it will likely be the last we hear of it.

Re: Mike, you just don't seem to get it

I don't think of it as a backdoor, I like to think of it as magic window frosting that can be dropped or lifted when the good intentions of a Government employee is weighed and proven to be lighter than, a school bus.

Thing is, while I am not a government hack, I am an optimist, I know if the US government reflects on events like this, they will realize that weakened security for surveillance reasons is an epically stupid idea, and persist in asking for it anyway.

Re: Re: Mike, you just don't seem to get it

Since EULAs are apparently absolutely binding, why not just have a click through agreement where you agree and certify that you will not be accessing anyone's secret data for any improper purpose. Then we could do away with encryption and the whole problem goes away.

Re: Re: Re: Mike, you just don't seem to get it

A magical golden key to the back door is a wonderful solution to this problem.

The golden key only works for those with pure intentions.

If someone in the government goes bad, the golden key no longer works for them.

Why can't anyone understand something so simple? A magical golden key to the back door would solve all our problems. Good guys can get in. Bad guys cannot. If Silicon Valley could bring their pixie dust, and law enforcement could bring their genuine unicorn horn powder, and they get together, surely we could solve this problem.

Re: Mike, you just don't seem to get it

I don't think you get it DannyB, the whole point of the article is that what the NSA wants is what has happened here. So their claims that a "golden key" would work are ludicrous... Yes, they want a backdoor that only the "good guys" can use, but the problem is any backdoor that has a key can be gotten into by anyone with the same key. If you have one, whether you're a "good guy" or a "bad guy", you can open the lock. Also, who's to say that "good guy" is good 100% of the time? We have LoveInt for a reason... (don't know what it is? look it up!)

Shhhhh

Hillary Clinton says she wants her Blackberry to work over Juniper protected networks so she can discuss the details of her New Manhattan project in secret using her private email server in order to keep the important information away from the bad guys.

Just ScreenOS?

I just finished installing a bunch of Juniper hardware, running JunOS... even though everything I've seen points to ScreenOS equipment, now I have to spend time and effort looking again at our JunOS equipment. Sigh.

Re: Re: Just ScreenOS?

Exactly, this affects legacy EOL firewalls that went bye bye years ago. It does not affect any newer Juniper JUNOS based products. The ScreenOS products have been out of production and EOL for 3+++ years. Also "some_guy". Do a fact check on your info. It's easy, it's called Google. Juniper is a 100% owned US company on the NYSE. Your info is so wrong.

Deja Vu

Of course it's the Chinese or Russians, just like it was North Korea not laid-off Sony employees who did the Sony data breach. Aren't these law enforcement the same clowns who pushed the blame on North Korea despite the evidence?

Wait, what?

> The breach is believed to be the work of a foreign government, U.S. officials said, because of the sophistication involved. The U.S. officials said they are certain U.S. spy agencies themselves aren't behind the back door.

This seems to be an open admission that the USA has the least sophisticated spy agencies in the world.

Liability

If the NSA is responsible for the security of our nation, and they knew about this exploit/back door, then can the NSA be held liable for all the damage done to national security? After all, wouldn't this be grounds to get fired at least, or grounds of treason for allowing the opponent the opportunity to attack us?

Russians or Chinese - PUHleeeze

Juniper is owned by Israelis and the Israelis have been spying on the US for decades. They've installed back doors on ALL of the equipment and software they supply to US corporations and government entities - they can easily hack into any of the telecomms and listen to phone conversations directly (just one example). Doesn't surprise me that their controlled media would try to blame someone else ... it's SOP for Israel....

Re: Russians or Chinese - PUHleeeze

> Juniper is owned by Israelis and the Israelis have been spying on the US for decades. They've installed back doors on ALL of the equipment and software they supply to US corporations and government entities - they can easily hack into any of the telecomms and listen to phone conversations directly (just one example). Doesn't surprise me that their controlled media would try to blame someone else ... it's SOP for Israel....

Uh... Juniper was founded at Xerox PARC in the United States by an Indian-American. They're still headquartered in the US and as far as I know, their biggest stakeholders are American investment firms.

Please follow up with information on your claim that they're owned by Israelis.

Why so angry?

I think you are misunderstanding...

The government thinks that if there is a back door, they can use it on us but not on them. Sadly no one realizes if there is a "back door" so they can access our information, then there is a back door that anyone can use to access the government's information. All those emails? Secure communications? data? military movements? All will be seen by everyone putting not only the soldiers at risk like you seem to want to blame Snowden for, but us Citizens themselves.

Remember the fiasco with Cisco routers being stopped en route to put in spyware by the NSA? Duh. We have another company who no one on the globe will want to purchase their products for because of this 'hack'. Keep this up with the tech companies of Silicon Valley and before very much longer the US will no longer be a tech leader that others want products from.

Re:

I still think this is a brilliant master plan by the government to turn the US into such a third world stink hole that no terrorist would bother attacking us. The only alternative is that the government is so arrogant, they didn't think they could ever be caught.

Re: Cisco fiasco...

Wasn't there a similar problem where purchase of Chinese made routers was highly discouraged because of potential for Chinese capture of traffic? Then again, the NSA could just as easily intercept Chinese made routers and Internet information available to two governments.

IIRC, wasn't it recommended that purchasers of Cisco routers send a vehicle to the Cisco manufacturing facility for transport? Maybe they're made outside the US.

Incompetent Noobs

US Gov't Agencies Freak Out Over Juniper Backdoor; Perhaps They'll Now Realize Why Backdoors Are A Mistake

This is gross incompetence on behalf of all the US government know-nothing nitwits involved.

How many billions of US dollars were squandered on this boondoggle?

Will these incompetent noobs be held to account?

Unfortunately failing spectacularly while working for the US government means failing upward so these worthless noobs will be promoted. After their promotions the noobs can then testify before congress about how they too believe in unicorns.

Ha

This Is Not About No Backdoors!

Such wonderful, patriotic Americans. They compromise National Security by Wilfully Betraying NSA secret Technologies like this. Luckily they found and exposed these nefarious Spying Backdoors put in by Unauthorized Foreign Parties. Did they check with teh Government before telling every Tom Dick and Harry about this? We need more people like this Guarding our FREEDOMS. They should be LOCKED UP for threatening our National Security! They help America stay safe! They are destroying the safety of America!

Our people, who buy 0 day exploits to abuse, would NEVER do something like this.

The problem has to be bad guys did this because they didn't have our pure intentions anyone could access the backdoor.

Perhaps this might put the tiniest little idea in their heads that the people who inform them of how they are supposed to vote & what to say in the media might not be fully truthful. That maybe they should look to be educated about topics they wish to rule on beyond a talking points memo attached to a "donation"... but then that old line comes to mind... money talks.